Multivariate signature method for resisting key recovery attack

ABSTRACT

A multivariate signature method for resisting key recovery attacks, which establishes a new signature verification condition by adding an additional value to the signature. The verification condition implies verification of the internal information x and y, thereby effectively resisting the key recovery attack that arises from the existence of equivalent keys. Specifically, the method comprises three stages: data preprocessing, signature generation and signature verification. The invention is a signature authentication method based on polynomial equations in several variables over a finite field; it can effectively resist key recovery attacks, provides basic technical support for information security and for the establishment of trust systems in the quantum computer era, and offers a secure digital signature option for that era. The present invention is especially suitable for applications with limited storage and processing time, such as smart cards, wireless sensor networks and dynamic RFID tags.

CROSS REFERENCE OF RELATED APPLICATION

This application claims priority of a foreign application filed in China: application number 201610510658.6, filing date Jul. 1, 2016. The contents of this specification, including any intervening amendments thereto, are incorporated herein by reference.

BACKGROUND OF THE PRESENT INVENTION

Field of Invention

The present invention belongs to the field of information security and relates to signature verification with a multivariate public key and a message, and more particularly to a multivariate signature method capable of resisting key recovery attacks.

Description of Related Arts

A digital signature is a method of authenticating digital information and is one of the main applications of public key cryptography; it is also known as a public key digital signature. In a public key cryptosystem, the principle of digital signature technology is that the sender signs (encrypts) a message with the private key and sends the signature to the recipient together with the original text. The recipient decrypts the signature with the sender's public key and compares the result with the original text: if they are the same, the recipient judges the signature legitimate and accepts it; if not, the recipient judges it illegitimate and rejects it. Therefore, a digital signature usually consists of two algorithms, one for signing and one for verification, and both parties can perform signing and verification of digital information (messages) over a public network.

The security of a digital signature requires that the source of the message be authenticated and that the signature cannot be forged by others.

At present, the security of most digital signatures applied to messages rests on the difficulty of large-integer factorization in number theory. However, in 1995 the American scientist Peter Shor proposed a quantum algorithm which, using the parallelism of quantum computation, can factor large integers into their prime factors and solve discrete logarithm problems in polynomial time. In other words, the emergence of quantum computers poses a serious threat to the security of existing digital signatures based on traditional cryptographic systems.

The multivariate public key system is a cryptosystem over a finite field whose security rests on solving systems of multivariate nonlinear polynomial equations, an NP-complete problem, and it is currently considered an alternative secure cryptographic system for the quantum era. The signature scheme FLASH, proposed in 2004, was selected in the European NESSIE cryptographic project and became one of the most promising technologies in cryptographic research.

As a new research direction, multivariate systems have the advantages of higher efficiency, higher security and easier hardware implementation compared with the number-theoretic systems used in traditional signature schemes. However, existing multivariate signature systems have the following problem: the verification condition of the standard signature model depends only on the public key and involves a single check. Under a key recovery attack, even a forger who does not know the real private key can still obtain a "legal" signature that passes public key verification, by exploiting the structure of the public key to recover an equivalent key corresponding to it. The main reason is that signature verification does not involve any verification of internal private key information. At present, among signature systems based on multivariate public key cryptography, there is no secure multivariate signature scheme that resists key recovery attacks. Therefore, it is necessary to take these issues into account and avoid them when designing a new multivariate signature scheme.

SUMMARY OF THE PRESENT INVENTION

In order to overcome the above-mentioned drawbacks of the existing technologies, it is an object of the present invention to provide a more secure multivariate signature method which can resist key recovery attacks. The method is a signature authentication method based on polynomial equations in several variables over a finite field. It can effectively resist key recovery attacks, provides basic technical support for information security and for the establishment of trust systems in the quantum computer era, and is a secure digital signature option for that era. The method is especially suitable for applications with limited storage and processing time, such as smart cards, wireless sensor networks and dynamic RFID tags.

According to the present invention, the foregoing and other objects and advantages are attained by adding an additional value to the signature so as to establish a new signature verification requirement. The verification condition implicitly verifies the internal information x and y, thereby effectively resisting the key recovery attack that arises from the existence of equivalent keys.

In particular, the present invention provides a multivariate signature method for resisting key recovery attacks, which comprises the following steps:

Step 1: Selecting System Parameters

Take a finite field F, positive integers n and m, the n-th extension field of F, denoted F^(n), and the m-th extension field of F, denoted F^(m). Take a set of multivariate quadratic polynomials q₁(x₁, . . . , x_(n)), . . . , q_(m)(x₁, . . . , x_(n)) from F^(n) to F^(m), denoted Q; Q is the central map of the multivariate public key cryptosystem, with n input variables and m output variables. Q⁻¹ denotes the inverse of the polynomial map Q and is held by the legitimate user. Take two further invertible affine transformations S on F^(n) and T on F^(m) as secret keys; their inverses are denoted S⁻¹ and T⁻¹ respectively. Then randomly select a set of n multivariate polynomials in n variables (g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n))) on F^(n), whose polynomial vector is denoted G, i.e. G(x₁, . . . , x_(n))=(g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n))), together with two one-way (non-invertible) polynomial maps H and H̃. The user's secret key consists of three parts, S, T and G. H and H̃ are chosen secretly by a trusted third party and are used only to generate the public key. The inverse of G is denoted G⁻¹. The corresponding public key consists of five polynomial maps: P=T∘Q∘S, H∘G⁻¹∘S, H∘S, H̃∘Q∘G⁻¹∘S and H̃∘T⁻¹. The operator ∘ denotes composition of maps, the substitutions being carried out in turn so that, for example, P(x)=T∘Q∘S(x)=T(Q(S(x)));

Step 2: Generating the Signature

Let the coding of a known message M be the vector (u₁, . . . , u_(m)), denoted u. The signature is generated by the following steps:

(2.1) generating a forward signature:

(2.1a) substituting u=(u₁, . . . , u_(m)), the coding of message M, into the inverse T⁻¹ of the secret key T, obtaining (y₁, . . . , y_(m)), denoted y;

(2.1b) substituting the result y into the inverse Q⁻¹ of the central map Q, obtaining (x₁, . . . , x_(n)), denoted x;

(2.1c) substituting the result x into the inverse S⁻¹ of the secret key S, obtaining (v₁, . . . , v_(n)), denoted v; v is the forward signature of the coding u of the message M;

(2.2) generating a backward signature:

(2.2a) substituting the result x into the secret key G, obtaining G(x₁, . . . , x_(n))=(g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n)))=(g₁, . . . , g_(n)), denoted g;

(2.2b) substituting the result g into the inverse S⁻¹ of the secret key S, obtaining S⁻¹(g)=S⁻¹∘G(x)=(v_(g1), . . . , v_(gn)), denoted v_(g); v_(g) is the backward signature of the coding u of the message M;

(2.3) concatenating the forward signature and the backward signature as v∥v_(g), which is the signature of the coding u of the message M;

Step 3: Verifying the Signature

(3.1) using the public key P for verification:

(3.1a) substituting the forward signature v=(v₁, . . . , v_(n)) into the public key P, obtaining P(v₁, . . . , v_(n))=(p₁(v₁, . . . , v_(n)), . . . , p_(m)(v₁, . . . , v_(n))), and recording the result as u′=(u′₁, . . . , u′_(m));

(3.1b) determining whether u′ equals the coding u of the original message M;

(3.2) using the public keys H∘S and H∘G⁻¹∘S for verification:

(3.2a) substituting the forward signature v=(v₁, . . . , v_(n)) into the public key H∘S, obtaining H∘S(v)=H∘S(v₁, . . . , v_(n))=H(S(v₁, . . . , v_(n))), and recording the result as h=(h₁, . . . , h_(n));

(3.2b) substituting the backward signature v_(g)=(v_(g1), . . . , v_(gn)) into the public key H∘G⁻¹∘S, obtaining H∘G⁻¹∘S(v_(g))=H∘G⁻¹∘S(v_(g1), . . . , v_(gn))=H(G⁻¹(S(v_(g1), . . . , v_(gn)))), and recording the result as h′=(h′₁, . . . , h′_(n));

(3.2c) determining whether h and h′ are equal;

(3.3) using the public keys H̃∘Q∘G⁻¹∘S and H̃∘T⁻¹ for verification:

(3.3a) substituting the coding u of the message M into the public key H̃∘T⁻¹, obtaining H̃∘T⁻¹(u)=H̃(T⁻¹(u)), and recording the result as h̃=(h̃₁, . . . , h̃_(n));

(3.3b) substituting the backward signature v_(g) into the public key H̃∘Q∘G⁻¹∘S, obtaining H̃∘Q∘G⁻¹∘S(v_(g))=H̃(Q(G⁻¹(S(v_(g))))), and recording the result as h̃′=(h̃′₁, . . . , h̃′_(n));

(3.3c) determining whether h̃ and h̃′ are equal;

if (3.1b), (3.2c) and (3.3c) all hold, then v∥v_(g) is a legitimate signature of the coding u of the message M; otherwise the signature is invalid and is rejected.

In Step 1, S, T and G are all invertible affine transformations.

Compared with the existing technology, the advantages of the present invention are as follows:

1) The present invention is based on the signature model of a multivariate public key cryptosystem and is therefore resistant to conventional quantum attacks;

2) The invention is based on a public key cryptosystem of multivariate polynomial equations over a finite field. Its operations are additions and low-degree multiplications, without exponentiation or inversion. Therefore, it is more efficient and secure than traditional systems based on number theory;

3) The signature generated by the present invention consists of two parts: a forward signature v and a backward signature v_(g). Generating the forward signature v requires possession of the legitimate secret keys S and T, and generating the backward signature v_(g) requires possession of the legitimate secret keys S, G and T. Accordingly, compared with existing multivariate signature schemes that use only a forward signature, the present invention reduces the danger from an attacker;

4) The signature v∥v_(g) generated by the present invention is composed of two interrelated parts, v and v_(g). They are required to satisfy two hidden associated verifications involving the secret keys S, G and T: S(v)=x=G⁻¹∘S(v_(g)) and T⁻¹(u)=y=Q∘G⁻¹∘S(v_(g)). These two verifications hold if and only if the signer has the correct secret keys S, G and T. The backward signature cannot be obtained from the public key alone in the absence of the legitimate secret keys S, G and T. Therefore, compared with the existing signature verification model, which only requires the signature to satisfy the public key P with respect to u, the present invention adds backward signature verification, which is effective against key recovery attacks and hence more secure.

Further objects and advantages will become apparent from a consideration of the ensuing description and drawings.

These and other objectives, features, and advantages of the present invention will become apparent from the following detailed description, the accompanying drawings, and the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram, showing the principle of the signature generation according to a preferred embodiment of the present invention.

FIG. 2 is a schematic diagram, showing the principle of the signature verification according to a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The preferred embodiments of the present invention are further described in detail with reference to the accompanying drawings and embodiments.

I. The Mathematical Theory Applied by the Present Invention

(1) Finite Field

A finite field is a set of finitely many elements equipped with two operations, addition and multiplication, such that both operations satisfy the associative and commutative laws, inverses exist (for nonzero elements in the case of multiplication), and multiplication is distributive over addition. The number of elements in the field is called the order of the field. A finite field of order q is usually written F=GF(q), or abbreviated F. Operations in a finite field are modular operations.

(2) Transformation

Let F be a finite field. A map (y₁, . . . , y_(n))=f(x₁, . . . , x_(n)) with x_(i), y_(i)∈F is called a transformation: there is a rule of change that turns (x₁, . . . , x_(n)) into (y₁, . . . , y_(n)), and this rule is recorded as f and called the transformation.

(3) Multivariate Problem

Multivariate problems are also referred to as the multivariate quadratic (MQ) problem. The security of the multivariate public key cryptosystem is based on solving a set of multivariate nonlinear polynomial equations over a finite field,

p₁(x₁, . . . , x_(n))=p₂(x₁, . . . , x_(n))= . . . =p_(m)(x₁, . . . , x_(n))=0,

which is an NP-complete problem; the coefficients and variables of the p_(i) are taken from the finite field F. Usually each p_(i) is quadratic. For schemes constructed on the multivariate problem, the security basis is the difficulty of directly solving the public key quadratic equations: solving the known public key equations is a nondeterministic polynomial-time complete (NP-C) hard problem.

II. Implementation Method

Step 1: selecting system parameters:

Take a finite field F, positive integers n and m, the n-th extension field of F, recorded as F^(n), and the m-th extension field of F, recorded as F^(m). Take a set of multivariate quadratic polynomials q₁(x₁, . . . , x_(n)), . . . , q_(m)(x₁, . . . , x_(n)) from F^(n) to F^(m), recorded as Q; Q represents the central map of the multivariate public key cryptosystem, with n input variables and m output variables. Q⁻¹ denotes the inverse of the polynomial map Q and is held by the legitimate user. Take two further invertible affine transformations S on F^(n) and T on F^(m) as secret keys; their inverses are recorded as S⁻¹ and T⁻¹ respectively. Then randomly select a set of n multivariate polynomials in n variables (g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n))) on F^(n), whose polynomial vector is recorded as G, that is G(x₁, . . . , x_(n))=(g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n))), together with two one-way (non-invertible) polynomial maps H and H̃. The user's secret key consists of three parts, S, T and G. H and H̃ are chosen secretly by a trusted third party and are used only to generate the public key. The inverse of G is expressed as G⁻¹. The corresponding public key consists of five polynomial maps: P=T∘Q∘S, H∘G⁻¹∘S, H∘S, H̃∘Q∘G⁻¹∘S and H̃∘T⁻¹. The operator ∘ denotes composition of maps, the substitutions being carried out in turn so that T∘Q∘S(x)=T(Q(S(x))).

Step 2: generating signature

Let the coding of a known message M be the vector (u₁, . . . , u_(m)), recorded as u. The signature is generated by the following steps:

(2.1) generating a forward signature:

(2.1a) substituting u=(u₁, . . . , u_(m)), the coding of message M, into the inverse T⁻¹ of the secret key T, obtaining (y₁, . . . , y_(m)), recorded as y;

(2.1b) substituting the result y of step (2.1a) into the inverse Q⁻¹ of the central map Q, obtaining (x₁, . . . , x_(n)), recorded as x;

(2.1c) substituting the result x of step (2.1b) into the inverse S⁻¹ of the secret key S, obtaining (v₁, . . . , v_(n)), recorded as v; v is the forward signature of the coding u of the message M.

(2.2) generating a backward signature:

(2.2a) substituting the result x of step (2.1b) into the secret key G, obtaining G(x₁, . . . , x_(n))=(g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n)))=(g₁, . . . , g_(n)), recorded as g;

(2.2b) substituting the result g of step (2.2a) into the inverse S⁻¹ of the secret key S, obtaining S⁻¹(g)=S⁻¹∘G(x)=(v_(g1), . . . , v_(gn)), recorded as v_(g); v_(g) is the backward signature of the coding u of the message M;

(2.3) concatenating the forward signature and the backward signature as v∥v_(g), which is the signature of the coding u of the message M.

Referring to FIG. 2 of the drawings, signature verification according to the present invention is implemented as follows:

Step 3: verifying the signature:

(3.1) using the public key P for verification:

(3.1a) substituting the forward signature v=(v₁, . . . , v_(n)) into the public key P, obtaining P(v₁, . . . , v_(n))=(p₁(v₁, . . . , v_(n)), . . . , p_(m)(v₁, . . . , v_(n))), and recording the result as u′=(u′₁, . . . , u′_(m)).

(3.1b) determining whether u′ equals the coding u of the original message M.

(3.2) using the public keys H∘S and H∘G⁻¹∘S for verification:

(3.2a) substituting the forward signature v=(v₁, . . . , v_(n)) into the public key H∘S, obtaining H∘S(v)=H∘S(v₁, . . . , v_(n))=H(S(v₁, . . . , v_(n))), and recording the result as h=(h₁, . . . , h_(n));

(3.2b) substituting the backward signature v_(g)=(v_(g1), . . . , v_(gn)) into the public key H∘G⁻¹∘S, obtaining H∘G⁻¹∘S(v_(g))=H∘G⁻¹∘S(v_(g1), . . . , v_(gn))=H(G⁻¹(S(v_(g1), . . . , v_(gn)))), and recording the result as h′=(h′₁, . . . , h′_(n));

(3.2c) determining whether h and h′ are equal.

(3.3) using the public keys H̃∘Q∘G⁻¹∘S and H̃∘T⁻¹ for verification:

(3.3a) substituting the coding u of the message M into the public key H̃∘T⁻¹, obtaining H̃∘T⁻¹(u)=H̃(T⁻¹(u)), and recording the result as h̃=(h̃₁, . . . , h̃_(n));

(3.3b) substituting the backward signature v_(g) into the public key H̃∘Q∘G⁻¹∘S, obtaining H̃∘Q∘G⁻¹∘S(v_(g))=H̃(Q(G⁻¹(S(v_(g))))), and recording the result as h̃′=(h̃′₁, . . . , h̃′_(n));

(3.3c) determining whether h̃ and h̃′ are equal.

If (3.1b), (3.2c) and (3.3c) all hold, then v∥v_(g) is a legitimate signature of the coding u of the message M; otherwise the signature is invalid and is rejected.
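As an added worked example (not code from the patent), the following Python script instantiates Steps 1 to 3 of the procedure, as given in the Summary and again above, over GF(7) with n=m=2. All maps are constructed stand-ins: an invertible triangular quadratic map replaces the HFE central map, G is a constructed invertible quadratic map, and H and H̃ are constructed non-injective quadratic maps; the public key entries are kept as function compositions rather than expanded polynomial coefficients, so the script demonstrates the signing and three-part verification logic (and what (3.2c) rejects that the P-only check accepts), not the key-hiding property of a real instantiation. The function names (keygen, sign, verify_checks, mismatched_backward) are this example's own.

```python
import random
from typing import Callable, Dict, Tuple

p = 7  # constructed: tiny prime field so every intermediate value is inspectable
Vec = Tuple[int, ...]
Map = Callable[[Vec], Vec]

def compose(*maps: Map) -> Map:
    """Composition in the patent's sense: compose(T, Q, S)(x) == T(Q(S(x)))."""
    def run(x: Vec) -> Vec:
        for f in reversed(maps):
            x = f(x)
        return x
    return run

def random_invertible_affine(rng: random.Random) -> Tuple[Map, Map]:
    """Return (A, A_inv) for a random invertible affine map x -> Mx + t on GF(p)^2."""
    while True:
        a, b, c, d = (rng.randrange(p) for _ in range(4))
        det = (a * d - b * c) % p
        if det:
            break
    t0, t1, inv_det = rng.randrange(p), rng.randrange(p), pow(det, -1, p)

    def fwd(x: Vec) -> Vec:
        return ((a * x[0] + b * x[1] + t0) % p, (c * x[0] + d * x[1] + t1) % p)

    def inv(y: Vec) -> Vec:
        y0, y1 = (y[0] - t0) % p, (y[1] - t1) % p
        return ((d * y0 - b * y1) * inv_det % p, (a * y1 - c * y0) * inv_det % p)

    return fwd, inv

# Constructed stand-ins: Q is an invertible quadratic (triangular) central map in
# place of HFE, G the signer's secret invertible quadratic map, H and H_tilde the
# third party's one-way maps (both non-injective, e.g. H(1,0) == H(6,0)).
def Q(x: Vec) -> Vec:
    return (x[0], (x[1] + x[0] * x[0]) % p)

def Q_inv(y: Vec) -> Vec:
    return (y[0], (y[1] - y[0] * y[0]) % p)

def G(x: Vec) -> Vec:
    return ((x[0] + 3 * x[1] * x[1]) % p, x[1])

def G_inv(g: Vec) -> Vec:
    return ((g[0] - 3 * g[1] * g[1]) % p, g[1])

def H(x: Vec) -> Vec:
    return ((x[0] * x[0] + x[1]) % p, (x[0] * x[1] + 2 * x[1]) % p)

def H_tilde(x: Vec) -> Vec:
    return ((x[0] * x[1] + 1) % p, (x[1] * x[1] + 5 * x[0]) % p)

def keygen(seed: int) -> Tuple[Dict[str, Map], Dict[str, Map]]:
    """Step 1: secret key (S, T, G) and the five public-key compositions."""
    rng = random.Random(seed)
    S, S_inv = random_invertible_affine(rng)
    T, T_inv = random_invertible_affine(rng)
    secret = {"S_inv": S_inv, "T_inv": T_inv, "G": G}
    public = {
        "P": compose(T, Q, S),                         # T∘Q∘S
        "H_Ginv_S": compose(H, G_inv, S),              # H∘G⁻¹∘S
        "H_S": compose(H, S),                          # H∘S
        "Ht_Q_Ginv_S": compose(H_tilde, Q, G_inv, S),  # H̃∘Q∘G⁻¹∘S
        "Ht_Tinv": compose(H_tilde, T_inv),            # H̃∘T⁻¹
    }
    return secret, public

def sign(secret: Dict[str, Map], u: Vec) -> Tuple[Vec, Vec]:
    """Step 2: forward signature v and backward signature v_g for the encoding u."""
    y = secret["T_inv"](u)     # (2.1a)
    x = Q_inv(y)               # (2.1b) the internal value x
    v = secret["S_inv"](x)     # (2.1c) forward signature
    g = secret["G"](x)         # (2.2a)
    v_g = secret["S_inv"](g)   # (2.2b) backward signature
    return v, v_g              # (2.3) the signature is v ∥ v_g

def verify_checks(public: Dict[str, Map], u: Vec, v: Vec, v_g: Vec) -> Dict[str, bool]:
    """Step 3: the three conditions. The classic model checks only '3.1b'."""
    return {
        "3.1b": public["P"](v) == u,                                 # P(v) = u
        "3.2c": public["H_S"](v) == public["H_Ginv_S"](v_g),         # same x
        "3.3c": public["Ht_Tinv"](u) == public["Ht_Q_Ginv_S"](v_g),  # same y
    }

def verify(public: Dict[str, Map], u: Vec, v: Vec, v_g: Vec) -> bool:
    return all(verify_checks(public, u, v, v_g).values())

def mismatched_backward(secret: Dict[str, Map], u: Vec) -> Vec:
    """Negative test input: a backward part bound to some x' with H(x') != H(x).
    Check (3.2c) must reject it even though (3.1b) still accepts v alone."""
    x = Q_inv(secret["T_inv"](u))
    for x_bad in ((i, j) for i in range(p) for j in range(p)):
        if H(x_bad) != H(x):
            return secret["S_inv"](secret["G"](x_bad))
    raise RuntimeError("H is constant")  # unreachable for the H above
```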

The present invention provides a signature scheme over a finite field which is correct and is capable of resisting key recovery attacks.

The Correctness of the Signature

Suppose the recipient receives the signature v∥v_(g). If the signature was generated step by step as described above and was not altered in transmission, then:

(1) Since the forward signature v is generated by processing the coding u of message M successively with the private key T⁻¹, the inverse central map Q⁻¹ and the private key S⁻¹, that is v=(v₁, . . . , v_(n))=S⁻¹∘Q⁻¹∘T⁻¹(u₁, . . . , u_(m)), substituting v into the public key P gives

$\begin{aligned} P(v) &= P\left( S^{-1} \circ Q^{-1} \circ T^{-1}(u_{1},\ldots,u_{m}) \right) \\ &= P \circ S^{-1} \circ Q^{-1} \circ T^{-1}(u) \\ &= T \circ Q \circ S \circ S^{-1} \circ Q^{-1} \circ T^{-1}(u) = u, \end{aligned}$

i.e. the verification condition (3.1b) holds.

(2) From the backward signature v_(g)=S⁻¹∘G(x₁, . . . , x_(n)) and the forward signature v=S⁻¹(x₁, . . . , x_(n)), clearly S(v)=(x₁, . . . , x_(n))=G⁻¹∘S(v_(g)), so H∘S(v) and H∘G⁻¹∘S(v_(g)) are equal, i.e. the verification condition (3.2c) holds.

(3) From the backward signature v_(g)=S⁻¹∘G(x₁, . . . , x_(n)) and the coding u of message M, Q∘G⁻¹∘S(v_(g))=Q(x₁, . . . , x_(n))=y=T⁻¹(u), so H̃∘Q∘G⁻¹∘S(v_(g))=H̃∘T⁻¹(u), i.e. the verification condition (3.3c) holds.

Anti-Forgery of the Signature

The signature scheme provided by the present invention, based on multivariate polynomials, is unforgeable against signature forgery attacks by an adversary who knows the public key. In the following it is shown from cryptographic theory that the digital signature scheme of the present invention resists signature forgery attacks, and in particular key recovery attacks against multivariate cryptosystems.

Proof: It is well known that multivariate systems have the "equivalent key" property, also known as "key redundancy": the same public key corresponds to multiple private keys. Concretely, for two different private keys (T, Q, S) and (T′, Q, S′) we may have T∘Q∘S=P=T′∘Q∘S′. A key recovery attack on a multivariate system therefore succeeds as soon as the attacker obtains any equivalent private key (T′, Q, S′), even if the correct private key (T, Q, S) is not recovered. The model provided by the present invention can effectively defend against this attack. The proof is as follows:

To forge a signature successfully, an attacker must produce a forward signature v and a backward signature v_(g) that satisfy (3.1b), (3.2c) and (3.3c). However, even if the forger obtains an equivalent key (T′, Q, S′) through a key recovery attack and uses it to produce a forward signature, denoted v̂, and a backward signature, denoted v̂_(g), the verifications (3.2c) and (3.3c) cannot be satisfied. This is because the public keys H∘G⁻¹∘S and H∘S impose the restriction that the private key used to generate the signature must be S itself and cannot be an equivalent key such as Ŝ; likewise the public keys H̃∘Q∘G⁻¹∘S and H̃∘T⁻¹ impose the restriction that the private key must be T itself and cannot be an equivalent key such as T̂. Accordingly, in the absence of the correct private keys S and T, even if the forger generates a signature from an equivalent key obtained by a key recovery attack, that signature fails the verifications (3.2c) and (3.3c) because it was not generated with the correct private keys S and T. If instead the attacker guesses a forward signature v̂ and a backward signature v̂_(g) at random, then since both are n-vectors over the q-order finite field, the probability of success is only

$\frac{1}{q^{2n}} \to 0$ (q is the order of the finite field).

From the above, the present invention is effective against equivalent-key recovery attacks on multivariate signature systems.

III. Preferred Embodiment

Taking the central map of the HFE (Hidden Field Equations) multivariate system as an example, the signature scheme is as follows:

(1) HFE embodiment

Let

be a q-order finite field,

be the n-order extension of

, π:

→

^(n) be the isomorphic mapping of the extended domain to the vector space, where π(a₀+a₁ x+ . . . +a_(n-1) x^(n-1))=(a₀, . . . , a_(n-1)). Center mapping:

$\tilde{Q}(X) := \sum_{\substack{0 \le i, j \le d \\ q^{i} + q^{j} \le d}} C_{i,j}\, X^{q^{i} + q^{j}} + \sum_{\substack{0 \le k \le d \\ q^{k} \le d}} B_{k}\, X^{q^{k}} + A,$

where i, j ∈

, frequency is d ∈

, (d∈

is the degree,

is integer) C_(ij)∈

is quadratic coefficient, B_(k)∈

is a monomial coefficient, A∈

is a constant; these coefficients are randomly selected, and the degree must be less than the parameter d.

Q is an invertible transformation: Q̃ can be inverted on the extension field by a variant of the Berlekamp algorithm, with complexity O(nd² log d+d³), so the parameter d cannot be too large. The central map Q(x₁, . . . , x_(n)) is the mapping from

to

, which is: Q(x₁, . . . , x_(n))=(q₁(x₁, . . . , x_(n)), . . . , q_(n)(x₁, . . . , x_(n)))=π∘Q̃∘π⁻¹(x₁, . . . , x_(n)),

where q_(i)(x₁, . . . , x_(n)), i=1, . . . , m, are quadratic polynomials in n variables. Let S and T be two random invertible affine transformations on

_(n), then define P(x₁, . . . , x_(n))=(p₁(x₁, . . . , x_(n)), . . . , p_(n)(x₁, . . . , x_(n)))=T∘Q∘S(x₁, . . . , x_(n)). Here all of the polynomials are of degree two.

The system is used as a signature algorithm and the process is as follows.

Alice wants to send Bob a message (u₁, . . . , u_(m)) signed by herself. First, she signs the coding (u₁, . . . , u_(m)) of message M with her private keys S_(Alice), T_(Alice): (I) calculate (y₁, . . . , y_(m))=T⁻¹_(Alice)(u₁, . . . , u_(m)); (II) calculate (x₁, . . . , x_(n))=Q⁻¹(y₁, . . . , y_(m))=π∘Q̃⁻¹∘π⁻¹(y₁, . . . , y_(m)); (III) calculate (v₁, . . . , v_(n))=S⁻¹_(Alice)(x₁, . . . , x_(n)); then she sends the message (u₁, . . . , u_(m)) and the signature (v₁, . . . , v_(n)) together to Bob over the communication network.

Bob receives the message (u₁, . . . , u_(m)) and the signature (v₁, . . . , v_(n)) from Alice over the public channel and wants to determine whether the signature really comes from Alice. He looks up Alice's public key in the public directory to verify it: he uses P_(Alice) to calculate P_(Alice)(v₁, . . . , v_(n)) for the signature (v₁, . . . , v_(n)), records the result as (u′₁, . . . , u′_(m)), and determines whether (u′₁, . . . , u′_(m)) equals the original message (u₁, . . . , u_(m)). If they are equal, the signature (v₁, . . . , v_(n)) is accepted; if not, it is rejected.

When a multivariate system is used as a signature scheme in the traditional multivariate signature model, only public key verification is required, and whether the user holds a valid private key is not verified. The original HFE system has been broken: in 1999, Kipnis and Shamir used the relinearization method to give an effective key recovery attack.

(2) In the following, take Q as the central map of the HFE system.

Alice produces a secure signature by selecting an invertible quadratic polynomial map G_(Alice) as a private key and two random one-way irreversible polynomial maps H and H̃ as auxiliary functions.

When Alice wants to send Bob a message (u₁, . . . , u_(m)) signed by herself: (I) using her private key T_(Alice), she calculates (y₁, . . . , y_(m))=T⁻¹_(Alice)(u₁, . . . , u_(m)); (II) she calculates (x₁, . . . , x_(n))=Q⁻¹(y₁, . . . , y_(m))=π∘Q̃⁻¹∘π⁻¹(y₁, . . . , y_(m)); (III) using the private key S_(Alice), she calculates (v₁, . . . , v_(n))=S⁻¹_(Alice)(x₁, . . . , x_(n)); (IV) using the private key G_(Alice), she calculates g=G_(Alice)(x₁, . . . , x_(n))=(g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n)))=(g₁, . . . , g_(n)); (V) using the private key S_(Alice), she calculates (v_(g1), . . . , v_(gn))=S⁻¹_(Alice)(g)=S⁻¹_(Alice)∘G_(Alice)(x); (VI) she concatenates (v₁, . . . , v_(n)) and (v_(g1), . . . , v_(gn)) to obtain v₁, . . . , v_(n)∥v_(g1), . . . , v_(gn), which is the signature of the message (u₁, . . . , u_(m)).

Bob receives the message (u₁, . . . , u_(m)) and the signature v₁, . . . , v_(n)∥v_(g1), . . . , v_(gn) from Alice over the public channel and wants to determine whether the signature really comes from Alice. He looks up Alice's public keys P_(Alice), H∘S_(Alice), H∘G⁻¹∘S_(Alice), H̃∘Q∘G⁻¹∘S_(Alice) and H̃∘T⁻¹_(Alice) in the public directory, and then verifies the signature v₁, . . . , v_(n)∥v_(g1), . . . , v_(gn):

(I) Bob uses Alice's public key P_(Alice): he substitutes the forward signature v=(v₁, . . . , v_(n)) into P_(Alice), records the result as (u′₁, . . . , u′_(m)), and determines whether (u′₁, . . . , u′_(m)) equals the original message (u₁, . . . , u_(m)). If they are the same, he proceeds to the determination of step (II); otherwise he rejects the signature.

(II) Bob substitutes the backward signature (v_(g1), . . . , v_(gn)) into H̃∘Q∘G⁻¹∘S_(Alice), obtaining H̃∘Q∘G⁻¹∘S_(Alice)(v_(g1), . . . , v_(gn)), recorded as (h̃′₁, . . . , h̃′_(m)); he substitutes the message (u₁, . . . , u_(m)) into the public key H̃∘T⁻¹_(Alice), obtaining H̃∘T⁻¹_(Alice)(u₁, . . . , u_(m)), recorded as (h̃₁, . . . , h̃_(m)); then he determines whether (h̃′₁, . . . , h̃′_(m)) and (h̃₁, . . . , h̃_(m)) are equal. If they are equal, Bob accepts the signature of the message; if not, the signature is invalid and rejected.

Clearly, when the new model is applied to HFE, the signature of the same message (u₁, . . . , u_(m)) changes from the original (v₁, . . . , v_(n)) to v₁, . . . , v_(n)∥v_(g1), . . . , v_(gn). During verification, in addition to the original check with the public key P, namely whether P(v₁, . . . , v_(n)) equals (u₁, . . . , u_(m)), additional checks related to the private key are required: whether H∘S_(Alice)(v₁, . . . , v_(n)) equals H∘G⁻¹∘S_(Alice)(v_(g1), . . . , v_(gn)), and whether H̃∘T⁻¹_(Alice)(u₁, . . . , u_(m)) equals H̃∘Q∘G⁻¹∘S_(Alice)(v_(g1), . . . , v_(gn)).

All three equations must be verified in order to conclude that v₁, . . . , v_(n)∥v_(g1), . . . , v_(gn) is a correct signature. The scheme can effectively resist key recovery attacks and has an increased security level compared with the original scheme.

One skilled in the art will understand that the embodiment of the present invention as shown in the drawings and described above is exemplary only and not intended to be limiting. It will thus be seen that the objects of the present invention have been fully and effectively accomplished. Its embodiments have been shown and described for the purposes of illustrating the functional and structural principles of the present invention and are subject to change without departure from such principles. Therefore, this invention includes all modifications encompassed within the spirit and scope of the following claims.

What is claimed is:
 1. A multivariate signature method for resisting Key Recovery Attack, characterized in that the method comprises the steps of:

Step 1: selecting system parameters: taking a finite field F, positive integers n and m, an n-th extension field of F as F^(n) and an m-th extension field of F as F^(m); taking a set of multivariate quadratic polynomial equations q₁(x₁, . . . , x_(n)), . . . , q_(m)(x₁, . . . , x_(n)) from F^(n) to F^(m), which is recorded as Q, so that Q represents the central map of the multivariate public key cryptographic system with n input variables and m output variables; using Q⁻¹ for the inverse of the polynomial map Q, where Q⁻¹ is held by a legitimate user; taking two reversible affine transformations S and T on F^(n) and F^(m) respectively as a secret key, their inverses being recorded as S⁻¹ and T⁻¹ respectively; then randomly selecting a set of n multivariate polynomial equations in n variables (g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n))) on F^(n), whose polynomial vector is recorded as G, that is, G(x₁, . . . , x_(n))=(g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n))), and two one-way, non-invertible polynomial equation sets H and {tilde over (H)}, wherein the user secret key consists of three parts, S, T and G, wherein H and {tilde over (H)} are secretly selected by a credible third party and are used only for generating the public key, where the inverse of G is expressed as G⁻¹, and the corresponding public key consists of five polynomial maps, namely P=T∘Q∘S, H∘G⁻¹∘S, H∘S, {tilde over (H)}∘Q∘G⁻¹∘S and {tilde over (H)}∘T⁻¹, where the operator ∘ represents composition of maps, that is, the result of one map is substituted into the next in order;

Step 2: generating a signature: the coding of a known message M is a vector (u₁, . . . , u_(m)), recorded as u, and the signature is generated by the following steps:
  (2.1) generating a forward signature:
    (2.1a) substituting u=(u₁, . . . , u_(m)), the coding of the message M, into the secret key T⁻¹, obtaining (y₁, . . . , y_(m)), recorded as y;
    (2.1b) substituting the obtained result y into the inverse Q⁻¹ of the central map Q, obtaining (x₁, . . . , x_(n)), recorded as x;
    (2.1c) substituting the obtained result x into the inverse S⁻¹ of the secret key S, obtaining (v₁, . . . , v_(n)), recorded as v; v is then the forward signature of the coding u of the message M;
  (2.2) generating a backward signature:
    (2.2a) substituting the obtained result x into the secret key G, obtaining G(x₁, . . . , x_(n))=(g₁(x₁, . . . , x_(n)), . . . , g_(n)(x₁, . . . , x_(n)))=(g₁, . . . , g_(n)), recorded as g;
    (2.2b) substituting the obtained result g into the inverse S⁻¹ of the secret key S, obtaining S⁻¹(g)=S⁻¹∘G(x)=(v_(g1), . . . , v_(gn)), recorded as v_(g); v_(g) is then the backward signature of the coding u of the message M;
  (2.3) concatenating the forward signature and the backward signature as v∥v_(g), which is the signature of the coding u of the message M;

Step 3: verifying the signature:
  (3.1) verifying with the public key P:
    (3.1a) substituting the forward signature v=(v₁, . . . , v_(n)) into the public key P, obtaining P(v₁, . . . , v_(n))=(p₁(v₁, . . . , v_(n)), . . . , p_(m)(v₁, . . . , v_(n))), and recording the result as u′=(u′₁, . . . , u′_(m));
    (3.1b) determining whether u′ equals the coding u of the original message M;
  (3.2) verifying with the public keys H∘S and H∘G⁻¹∘S:
    (3.2a) substituting the forward signature v=(v₁, . . . , v_(n)) into the public key H∘S, obtaining H∘S(v)=H∘S(v₁, . . . , v_(n))=H(S(v₁, . . . , v_(n))), and recording the result as h=(h₁, . . . , h_(n));
    (3.2b) substituting the backward signature v_(g)=(v_(g1), . . . , v_(gn)) into the public key H∘G⁻¹∘S, obtaining H∘G⁻¹∘S(v_(g))=H∘G⁻¹∘S(v_(g1), . . . , v_(gn))=H(G⁻¹(S(v_(g1), . . . , v_(gn)))), and recording the result as h′=(h′₁, . . . , h′_(n));
    (3.2c) determining whether h and h′ are equal;
  (3.3) verifying with the public keys {tilde over (H)}∘Q∘G⁻¹∘S and {tilde over (H)}∘T⁻¹:
    (3.3a) substituting the coding u of the message M into the public key {tilde over (H)}∘T⁻¹, obtaining {tilde over (H)}∘T⁻¹(u)={tilde over (H)}(T⁻¹(u)), and recording the result as {tilde over (h)}=({tilde over (h)}₁, . . . , {tilde over (h)}_(n));
    (3.3b) substituting the backward signature v_(g) into the public key {tilde over (H)}∘Q∘G⁻¹∘S, obtaining {tilde over (H)}∘Q∘G⁻¹∘S(v_(g))={tilde over (H)}(Q(G⁻¹(S(v_(g))))), and recording the result as {tilde over (h)}′=({tilde over (h)}′₁, . . . , {tilde over (h)}′_(n));
    (3.3c) determining whether {tilde over (h)} and {tilde over (h)}′ are equal;
  if (3.1b), (3.2c) and (3.3c) are all true, then v∥v_(g) is a legitimate signature of the coding u of the message M; otherwise, the signature is invalid and rejected.
 2. The multivariate signature method for resisting Key Recovery Attack according to claim 1, characterized in that, in step 1, S, T and G are all reversible affine transformations.
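The following Python program is an added worked example of the signing procedure of Step 2 and the three-part verification of Step 3 (and of steps (I) and (II) of the HFE embodiment above); it is not code from the patent and is not an implementation of any real parameter set. Its assumptions are the example's own: the field F is the toy prime field GF(7) with n = m = 3; the central map Q is a triangular quadratic map with a trivial inverse, standing in for the HFE polynomial; S, T and G are random invertible affine maps (as in claim 2); and H and {tilde over (H)} are random quadratic maps standing in for the one-way maps chosen by the credible third party. The five public key components P=T∘Q∘S, H∘G⁻¹∘S, H∘S, {tilde over (H)}∘Q∘G⁻¹∘S and {tilde over (H)}∘T⁻¹ are composed symbolically into explicit polynomial maps, so that `verify` uses nothing but the public key, exactly as the claim requires. All function and key names are invented for this example.

```python
import itertools
import math
import random

P_MOD, N = 7, 3  # constructed toy: field GF(7), dimension n = m = 3 (real parameters are far larger)


class Poly:  # multivariate polynomial over GF(P_MOD), stored as {exponent tuple: coefficient}
    def __init__(self, terms=None):
        self.t = {e: c % P_MOD for e, c in (terms or {}).items() if c % P_MOD}
    def __add__(self, o):
        return Poly({e: self.t.get(e, 0) + o.t.get(e, 0) for e in self.t.keys() | o.t.keys()})
    def __mul__(self, o):
        r = {}
        for (e1, c1), (e2, c2) in itertools.product(self.t.items(), o.t.items()):
            e = tuple(map(sum, zip(e1, e2)))
            r[e] = r.get(e, 0) + c1 * c2
        return Poly(r)
    def eval(self, xs):
        return sum(c * math.prod(pow(x, k, P_MOD) for x, k in zip(xs, e)) for e, c in self.t.items()) % P_MOD
    def compose(self, inner):  # substitute inner[i] (a Poly) for x_i, giving this(inner(x))
        res = Poly()
        for e, c in self.t.items():
            res = res + math.prod((p for p, k in zip(inner, e) for _ in range(k)), start=Poly({(0,) * N: c}))
        return res


def compose_map(outer, inner):  # (outer ∘ inner)(x) = outer(inner(x)): the right-hand map is applied first
    return [f.compose(inner) for f in outer]


def eval_map(polys, xs):
    return tuple(f.eval(xs) for f in polys)


def linear(coeffs, const=0):  # the affine polynomial sum(coeffs[i] * x_i) + const
    return Poly({**{tuple(int(j == i) for j in range(N)): a for i, a in enumerate(coeffs)}, (0,) * N: const})


def invert_matrix(A):  # Gauss-Jordan inverse over GF(P_MOD); None if A is singular
    M = [row[:] + [int(i == j) for j in range(N)] for i, row in enumerate(A)]
    for c in range(N):
        piv = next((r for r in range(c, N) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        M[c] = [x * pow(M[c][c], P_MOD - 2, P_MOD) % P_MOD for x in M[c]]  # scale pivot row to 1
        for r in range(N):
            f = M[r][c] if r != c else 0
            M[r] = [(x - f * y) % P_MOD for x, y in zip(M[r], M[c])]
    return [row[N:] for row in M]


def random_affine():  # random invertible affine map y = A x + b as (forward, inverse) Poly lists
    A_inv = None
    while A_inv is None:
        A = [[random.randrange(P_MOD) for _ in range(N)] for _ in range(N)]
        A_inv = invert_matrix(A)
    b = [random.randrange(P_MOD) for _ in range(N)]
    fwd = [linear(A[i], b[i]) for i in range(N)]
    inv = [linear(A_inv[i], -sum(A_inv[i][j] * b[j] for j in range(N))) for i in range(N)]  # x = A⁻¹(y - b)
    return fwd, inv


def central_map():  # toy triangular quadratic central map Q (standing in for HFE's Q) and its inverse
    x = [linear([int(j == i) for j in range(N)]) for i in range(N)]
    Q = [x[0]] + [x[i] + x[i - 1] * x[i - 1] for i in range(1, N)]
    def Q_inv(y):  # x_0 = y_0, x_i = y_i - x_{i-1}^2
        xs = [y[0]]
        for i in range(1, N):
            xs.append((y[i] - xs[-1] ** 2) % P_MOD)
        return tuple(xs)
    return Q, Q_inv


def random_quadratic():  # random quadratic map GF(p)^N -> GF(p)^N, standing in for the one-way H and H~
    exps = [e for e in itertools.product(range(3), repeat=N) if sum(e) <= 2]
    return [Poly({e: random.randrange(P_MOD) for e in exps}) for _ in range(N)]


def keygen(seed=None):  # Step 1: private key (S⁻¹, T⁻¹, G, Q⁻¹) and the five public polynomial maps
    random.seed(seed)
    S, S_inv = random_affine()
    T, T_inv = random_affine()
    G, G_inv = random_affine()                      # claim 2: G is also a reversible affine map
    Q, Q_inv = central_map()
    H, Ht = random_quadratic(), random_quadratic()  # one-way maps chosen by the credible third party
    GS = compose_map(G_inv, S)                      # G⁻¹∘S, shared by two public components
    public = {"P": compose_map(T, compose_map(Q, S)), "HS": compose_map(H, S),          # T∘Q∘S, H∘S
              "HGS": compose_map(H, GS), "HtQGS": compose_map(Ht, compose_map(Q, GS)),  # H∘G⁻¹∘S, H~∘Q∘G⁻¹∘S
              "HtT": compose_map(Ht, T_inv)}                                            # H~∘T⁻¹
    return public, {"S_inv": S_inv, "T_inv": T_inv, "G": G, "Q_inv": Q_inv}


def sign(private, u):  # Step 2: forward signature v followed by backward signature v_g
    y = eval_map(private["T_inv"], u)    # (2.1a) y = T⁻¹(u)
    x = private["Q_inv"](y)              # (2.1b) x = Q⁻¹(y)
    v = eval_map(private["S_inv"], x)    # (2.1c) v = S⁻¹(x)
    g = eval_map(private["G"], x)        # (2.2a) g = G(x)
    v_g = eval_map(private["S_inv"], g)  # (2.2b) v_g = S⁻¹(g)
    return v + v_g                       # (2.3)  v ∥ v_g


def verify(public, u, sig):  # Step 3: the conditions (3.1b), (3.2c), (3.3c); all three must hold
    v, v_g = sig[:N], sig[N:]
    return (eval_map(public["P"], v) == tuple(u),                          # P(v) == u
            eval_map(public["HS"], v) == eval_map(public["HGS"], v_g),     # H∘S(v) == H∘G⁻¹∘S(v_g)
            eval_map(public["HtT"], u) == eval_map(public["HtQGS"], v_g))  # H~∘T⁻¹(u) == H~∘Q∘G⁻¹∘S(v_g)
```

`verify` returns the three truth values in the order of the claim, and a signature is accepted only when all of them hold. Running `keygen`, `sign` and `verify` on a message such as `(1, 2, 3)` shows the effect of the added conditions: a signature whose forward half v still satisfies P(v)=u but whose backward half v_g has been altered passes the first check and fails the second and third, because those two checks tie v_g to the same internal values x and y that produced v. The toy field and the trivially invertible Q give no security on their own; they only make the algebra small enough to follow.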